Executive Summary

CVE-2026-46612 is a security vulnerability in the Fission storagesvc component, which is part of an open-source Kubernetes-native serverless framework. Before version 1.23.0, the storagesvc registered archive CRUD HTTP handlers without any authentication or authorization. This means that any user or workload within the same Kubernetes cluster that could reach the storagesvc ClusterIP could perform unauthorized actions such as enumerating archive IDs, downloading archives belonging to other tenants, uploading arbitrary archive content, and deleting archives.

The root cause was the lack of authentication middleware on these HTTP endpoints, leaving them exposed. Although network-layer protections like Kubernetes NetworkPolicies could mitigate the risk, these were not enabled by default and were not sufficient to fully protect the service.

The vulnerability was fixed in version 1.23.0 by introducing HMAC-SHA256 application-layer authentication for internal HTTP requests, enforcing request signing and verification using a shared cluster master secret. Additionally, NetworkPolicies were added by default to restrict access to the storagesvc component.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts on confidentiality, integrity, and availability of your Fission serverless environment.

• Confidentiality: Unauthorized users or workloads can enumerate and download archives belonging to other tenants, potentially exposing sensitive data.
• Integrity: Attackers can upload arbitrary archive content, which could lead to execution of malicious code or tampering with legitimate functions.
• Availability: Attackers can delete archives, disrupting function deployments and causing denial of service.

Because the vulnerability allows any pod in the cluster with access to the storagesvc ClusterIP to perform these actions without authentication, it poses a high risk especially in multi-tenant or shared Kubernetes clusters.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves unauthorized access to the Fission storagesvc component's archive CRUD HTTP endpoints without authentication or authorization. Detection can focus on identifying unauthorized access attempts to these endpoints (/v1/archive GET, POST, DELETE and /v1/archives list) on the storagesvc ClusterIP within your Kubernetes cluster.

You can detect potential exploitation by monitoring network traffic or logs for requests to the storagesvc service on ports 8000 and 8080, especially from unexpected pods or namespaces.

Suggested commands include:

• Use kubectl to check for storagesvc service endpoints and pods: kubectl get svc -n <namespace> storagesvc
• Monitor logs of storagesvc pods for unauthorized access attempts: kubectl logs -n <namespace> <storagesvc-pod-name>
• Use network monitoring tools (e.g., tcpdump or Wireshark) on nodes to capture traffic to storagesvc ports 8000 and 8080.
• Check for active NetworkPolicies restricting access to storagesvc: kubectl get networkpolicy -n <namespace>
• Inspect audit logs or API server logs for unusual requests to storagesvc endpoints.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability immediately, you should upgrade Fission to version 1.23.0 or later, where the issue is fixed by adding HMAC application-layer authentication and NetworkPolicies to restrict access.

If upgrading is not immediately possible, you should:

• Enable the Helm chart's NetworkPolicy for storagesvc to restrict ingress traffic only to necessary pods such as executor, builder, and fetcher.
• Manually apply Kubernetes NetworkPolicies to limit access to the storagesvc service, allowing only trusted pods to communicate with it.
• Review and restrict service account permissions to minimize which pods can access storagesvc.
• Monitor and audit access to storagesvc endpoints to detect and respond to unauthorized usage.

The fix in version 1.23.0 includes a 32-byte random master secret for HMAC authentication, per-service signing keys, and middleware enforcing authentication on storagesvc endpoints, which should be used to fully secure the environment.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in Fission storagesvc allows unauthorized access to archive data, including the ability to enumerate, download, upload, and delete archives belonging to other tenants within the same Kubernetes cluster. This unauthorized access can lead to breaches of confidentiality, integrity, and availability of sensitive data.

Such unauthorized data access and manipulation can violate compliance requirements under common standards and regulations like GDPR and HIPAA, which mandate strict controls over access to personal and sensitive data to protect privacy and ensure data security.

The lack of authentication and authorization on storagesvc endpoints prior to version 1.23.0 means that organizations using vulnerable versions could be exposed to non-compliance risks due to potential data exposure or tampering.

The fix introduced in version 1.23.0, including HMAC application-layer authentication and NetworkPolicies, helps mitigate these risks by enforcing access controls and reducing the likelihood of unauthorized data access, thereby supporting compliance efforts.

Useful 0 Not Useful 0